tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bojan Smojver <>
Subject Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
Date Wed, 25 Sep 2002 01:58:58 GMT
Quoting Steve Downey <>:

> Perhaps you would prefer this exploit?
> Horrors! Velocity is insecure! 
> The DefaultServlet exploit is a general security problem in Tomcat. JSP may
> be 
> somewhat more vulnerable, due to the (somewhat naieve) expectation that the 
> source will be confidential, but it's not really JSP per se that is at
> fault.

Actually, there is a big difference here. You're assuming that Velocity macro
pages are programs (well, classes) like JSP's and therefore probably contain
security sensitive information. Usually what you'll see is something like this:

  #foreach($role in $roles)
    #if($fields.rolename && $fields.rolename==$role.rolename)
      <option selected="selected">$role.rolename</option>

This is a (very typical) snippet from a VM that does editing of Tomcat
users/roles database in one of my applications. I don't care if people see that
code at all because the template doesn't do anything but templating. The beef if
elsewhere (i.e. MVC).


PS. Glenn, my apologies, I was just answering a direct question.

This mail sent through IMP:

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message